Date: Thu, 3 Apr 1997 21:18:13 -0800 (PST)
From: Doug White
To: Lars Jonas Olsson
cc: questions@freebsd.org
Subject: Re: Firewall for internal DNS server?
In-Reply-To: <199704022014.OAA00341@Jupiter.Mcs.Net>

On Wed, 2 Apr 1997, Lars Jonas Olsson wrote:

> I have a FreeBSD machine that's connected to internet and local LAN.
> The LAN has IP #s 10.x.x.x. The FreeBSD server runs sendmail, popper,
> squid, and named (DNS). The FreeBSD server does not forward packets.
>
> DNS is set up to be primary for 10.x.x.x and caching for everything
> else.
>
> There is currently no firewall or tcpwrappers etc running on server.
> Most services have been disabled and only a few people have login
> accounts. Many more have POP accounts with no login shell and no login
> directory.
>
> What's the best way to keep outside people from using the DNS server
> on the FreeBSD host? We only want to be able to get mail via pop and
> send mail via smtp from outside.

Block inbound connections on port 53 on your firewall. A run through the
BIND Operator's Guide doesn't locate any keywords that can restrict queries
from specific machines, so you'll have to block the port. (Why someone
would want to ask your nameserver for obviously bogus information I don't
know.)

Doug White                            | University of Oregon
Internet: dwhite@resnet.uoregon.edu   | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite  | Computer Science Major
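
The port 53 block suggested in the reply, as an added example that is not part of the original thread: a shell function that prints ipfw rules for review before they are loaded. It assumes present-day ipfw stateful syntax (`check-state`, `keep-state`, `me`), a default-deny ruleset, and hypothetical interface names, rule numbers and script name.

```shell
#!/bin/sh
# Added example: emit ipfw(8) rules that keep outside hosts off the name
# server on a dual-homed host, while LAN clients and the server's own
# lookups (it is a caching resolver) keep working.
# Interface names, rule numbers and the script name are assumptions.
#
# Rule order, top to bottom:
#   100      drop packets claiming a LAN source but arriving from outside,
#            before check-state can match them against a LAN client's flow
#   150      pass packets belonging to flows already admitted below
#   200/210  LAN clients may query the server (UDP, and TCP for large answers)
#   300/310  the server may query outside name servers; replies come back
#            through the dynamic rules created by keep-state
#   400/410  everything else aimed at port 53 from outside is logged and dropped

dns_rules() {
    ext_if=$1   # Internet-facing interface (assumed name)
    int_if=$2   # LAN-facing interface (assumed name)
    lan=$3      # internal prefix; 10.0.0.0/8 for the network in the thread

    cat <<EOF
ipfw -q add 100 deny log ip from $lan to any in via $ext_if
ipfw -q add 150 check-state
ipfw -q add 200 allow udp from $lan to me 53 in via $int_if keep-state
ipfw -q add 210 allow tcp from $lan to me 53 in via $int_if setup keep-state
ipfw -q add 300 allow udp from me to any 53 out via $ext_if keep-state
ipfw -q add 310 allow tcp from me to any 53 out via $ext_if setup keep-state
ipfw -q add 400 deny log udp from any to me 53 in via $ext_if
ipfw -q add 410 deny log tcp from any to me 53 in via $ext_if
EOF
}

# Print the rules when called with three arguments, for example:
#   sh dns-rules.sh fxp0 fxp1 10.0.0.0/8        (review)
#   sh dns-rules.sh fxp0 fxp1 10.0.0.0/8 | sh   (load, as root)
if [ $# -eq 3 ]; then
    dns_rules "$@"
fi
```

These rules cover DNS only; the POP and SMTP access the question mentions needs its own allow rules under the same default-deny policy.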